{"id":220035,"date":"2026-05-26T03:35:06","date_gmt":"2026-05-26T07:35:06","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/26\/npm-adds-2fa-gated-publishing-and-package-install-controls-against-supply-chain-attacks\/"},"modified":"2026-05-26T03:35:10","modified_gmt":"2026-05-26T07:35:10","slug":"npm-adds-2fa-gated-publishing-and-package-install-controls-against-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/26\/npm-adds-2fa-gated-publishing-and-package-install-controls-against-supply-chain-attacks\/","title":{"rendered":"npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks"},"content":{"rendered":"

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/05\/npm-adds-2fa-gated-publishing-and.html<\/a><\/p>\n

Publish Date: 2026-05-23 12:35:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

GitHub Enhances npm Security with Staged Publishing<\/strong><\/p>\n

GitHub has introduced new controls for npm with its staged publishing feature to bolster the security of the software supply chain. This update mandates that package maintainers must perform a two-factor authentication (2FA) challenge and explicitly approve a package before it is publicly available for installation. Instead of the previous direct publishing method, the new approach uploads a prebuilt tarball to a staging queue where it waits for approval from a maintainer before becoming installable. This provides “proof of presence” for every package publish, even from CI\/CD workflows or with OpenID Connect (OIDC) authentication. For using staged publishing, three specific criteria must be met: maintainers must have publish access to the package, the package must already exist on the npm registry, and 2FA must be enabled for the account.<\/p>\n

Developers can implement this by using the “npm stage publish” command from the package’s root directory, which requires updating to npm CLI 11.15.0 or newer. To further enhance security, GitHub recommends pairing staged publishing with trusted publishing that uses OIDC. Additionally, npm has introduced three new install source flags\u2014–allow-file, –allow-remote, and –allow-directory\u2014allowing developers to enforce an explicit-allowlist strategy for non-registry install sources. These improvements come on the heels of a significant uptick in software supply chain attacks targeting open-source software ecosystems.<\/p>\n

Key Points:<\/strong><\/p>\n